I’ve noticed that most of the writeups that I’ve seen about OSX artifacts don’t list Core Analytics, which seems strange to me. Outside of KnowledgeC there aren’t many other execution artifacts that I’m aware of on OSX. So in checking Mojave on a couple of systems I can report that Core Analytics is still alive and kicking in one of two directories.

If the user, when setting up their Mac, opted to send data to Apple, then the month’s worth of data will be found under:

/Library/Logs/DiagnosticReports/Retired

If the user opted out of sending data to Apple the data will be found under:

/Library/Logs/DiagnosticReports/

Otherwise all the data is in place and CrowdStrike’s script still works.
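A quick way to check both locations on a live system or a mounted image, as an added example (not code from this post or from CrowdStrike's script). The function names and the `image_root` parameter are hypothetical, and the `.core_analytics` file extension is an assumption not stated above.

```python
import tempfile
from pathlib import Path

# Directory (relative to the volume root) -> the opt-in choice the post ties to it.
LOCATIONS = {
    "Library/Logs/DiagnosticReports/Retired": "opted in",
    "Library/Logs/DiagnosticReports": "opted out",
}
PATTERN = "*.core_analytics"  # assumption: extension used by Core Analytics files


def find_core_analytics(image_root="/"):
    """Return {directory: sorted file names} for each location that holds files."""
    hits = {}
    for rel in LOCATIONS:
        directory = Path(image_root) / rel
        if not directory.is_dir():
            continue
        # glob() is non-recursive, so Retired files are not counted for the parent.
        names = sorted(p.name for p in directory.glob(PATTERN) if p.is_file())
        if names:
            hits[rel] = names
    return hits


def sharing_setting(hits):
    """Name the setting the post associates with the populated location(s)."""
    settings = {LOCATIONS[rel] for rel in hits}
    if not settings:
        return "no Core Analytics files found"
    if len(settings) > 1:
        return "both locations populated"
    return settings.pop()


def demo():
    """Run the lookup against a constructed directory tree (not real evidence)."""
    with tempfile.TemporaryDirectory() as tmp:
        retired = Path(tmp) / "Library/Logs/DiagnosticReports/Retired"
        retired.mkdir(parents=True)
        (retired / "Analytics_sample.core_analytics").write_text("{}\n")
        (retired.parent / "unrelated.crash").write_text("")  # must be ignored
        hits = find_core_analytics(tmp)
        return hits, sharing_setting(hits)


if __name__ == "__main__":
    for rel, names in find_core_analytics().items():
        print(f"/{rel}: {len(names)} file(s)")
```

Pass the mount point of an evidence image as `image_root` to run the same check against an acquired volume instead of the live system.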